Now this is a great concept. You can actually make a DVD to install the patches before you connect a PC (that's out of date on patches) to the Internet. If you think you can safely do that without this tool, take a second and think it through: some of your friends needing a house call might have a USB-connected DSL or cable modem and therefore not be using NAT. Next, take a look at the survival time and think how long it takes to get a Windows system from original media to a fully patched state.

So, if you're going to visit parents, family or friends over the holidays, start your preparation now and make that disk today to take along. It'll improve the obligatory "Could you take a look at our computer while you're here?" response time dramatically and give you a safe way to reinstall systems without a hardware-based firewall.

If you have networks that you do not want to connect to the Internet, because the risks of doing that are just too big for the sensitivity of the data involved, this might also become a way to patch those off-line machines.

Update: Simon wrote in mentioning AutoPatcher as an alternative solution.

Update: "Mads" reminded us Microsoft makes available ISO images with some of the patches on a monthly basis.

The update wasn't intended to be released and hence has been pulled. See the MSRC blog for more details.

Microsoft is also recommending uninstalling the patches, although to be honest I've no idea how to actually do that.

A reader wrote in pointing out the standalone download .dmg image did contain in its instructions:

"This update does not include an uninstall feature. To restore your application to its original state, delete it from your hard disk, reinstall it from your original installation disk, and then install the updates you want."

So I guess we'll be dragging Office to the waste basket, searching for the DVD, having to register the software all over again and then downloading a bunch of patches.

This vulnerability only affects Windows 2000 Server Service Pack 4 with RIS installed and configured to allow anonymous access to the system that serves the installation files. If anonymous access is allowed, a remote user could view, change or delete data or create accounts, including having malware installed on systems built by RIS. It is possible to exploit this vulnerability over the Internet if the network permissions were set so poorly as to allow anonymous access to everyone. A simple firewall would block this vector. The patch removes the vulnerability by denying anonymous TFTP users write access to the file structure.

This vulnerability has not been disclosed publicly and Microsoft reports no indication of active exploitation of this vulnerability.

Microsoft ranks this update as important; however, the very specific OS version needed and other mitigating technologies make this an unimportant patch for all but a few users.

We will update issues on this page as they evolve. We appreciate updates.

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

The Simple Network Management Protocol (SNMP) service is vulnerable to a buffer overflow. This service is typically used to manage network devices. Home users are not likely to have this service installed. However, many larger networks will use SNMP to control and monitor networked workstations and servers.

According to a note from Dave Aitel, Immunity released an exploit for this vulnerability to its customers.

In order to disable this service, or to check if it is running, use the "services" tab in your control panel and make sure the 'SNMP Service' is not running. You will not see an entry for SNMP Service if it is not installed.

This patch is a "patch now" for all networks that use SNMP. It runs as "system" and a successful exploit would provide an attacker with full access. The Microsoft bulletin only talks about port 161 UDP for this vulnerability, so one can assume that SNMP trap messages (port 162) are not affected.
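For larger fleets, checking the Services tab by hand does not scale. The script below is an added example (not from the diary or from Microsoft): it parses the saved text output of `sc query SNMP` and `netstat -an -p UDP` from a Windows host and maps the result onto the diary's advice, treating only UDP 161 as in scope since the bulletin does not mention trap port 162. The sample outputs embedded below are constructed, not captured from a real machine.

```python
import re

# Constructed sample command outputs (not captured from a real host).
SC_RUNNING = """
SERVICE_NAME: SNMP
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
"""
SC_MISSING = ("[SC] OpenService FAILED 1060:\n\n"
              "The specified service does not exist as an installed service.\n")
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:162            *:*
  UDP    127.0.0.1:1900         *:*
"""

def snmp_service_state(sc_output):
    """'not installed', or the STATE word from `sc query SNMP` (RUNNING, STOPPED, ...)."""
    if "does not exist as an installed service" in sc_output:
        return "not installed"
    m = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", sc_output)
    return m.group(1) if m else "unknown"

def udp_listeners(netstat_output, port):
    """Local addresses bound to `port` over UDP in `netstat -an -p UDP` output."""
    addrs = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == "UDP" and f[1].rpartition(":")[2] == str(port):
            addrs.append(f[1].rpartition(":")[0])
    return addrs

def assess(sc_output, netstat_output):
    """Combine both views: the agent on UDP 161 is the exposure, traps on 162 are not."""
    state = snmp_service_state(sc_output)
    on_161 = udp_listeners(netstat_output, 161)
    if state == "not installed" and not on_161:
        return "not affected: SNMP Service not installed, nothing bound to UDP 161"
    if state == "RUNNING" or on_161:
        where = ", ".join(on_161) or "no socket seen"
        return "PATCH NOW: SNMP Service %s, UDP 161 bound on %s" % (state, where)
    return "important: SNMP Service installed but %s; patch before re-enabling" % state

if __name__ == "__main__":
    print(assess(SC_RUNNING, NETSTAT))
    print(assess(SC_MISSING, ""))
```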

This bulletin addresses four vulnerabilities in Internet Explorer. Two allow remote code execution and two allow information disclosure. According to Microsoft, this does not affect Internet Explorer version 7. Since many organizations are still running version 6, it is critical that you patch this ASAP if you haven't upgraded yet. This bulletin replaces MS06-067. Microsoft also provides a link on possible issues that may arise as a result of this patch: http://support.microsoft.com/kb/925454

DHTML Script Function Memory Corruption Vulnerability - CVE-2006-5581: When Internet Explorer interprets certain DHTML script function calls to incorrectly created elements, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5578: The issue lies in how Internet Explorer handles drag and drop operations and would allow files in the Temporary Internet Files folder to be accessed on the user's system.

TIF Folder Information Disclosure Vulnerability - CVE-2006-5577: This one is similar to the previous vulnerability; however, it reveals the path to the Temporary Internet Files folder and allows the folder to be accessed and files to be retrieved. According to Microsoft, this requires action on the user's part.

This advisory addresses two vulnerabilities in the Windows "Media Format Runtime", which is used by applications that handle Windows Media content. The unchecked buffer and URL parsing vulnerabilities could result in full system compromise if exploited. An attacker would create a malicious Advanced Streaming Format (.ASF) file or a malicious Advanced Stream Redirector (.ASX) file and present it to a vulnerable client through a malicious URL, an email attachment, or perhaps through a malicious IFRAME or redirect.

These vulnerabilities pose the most risk to systems used for web surfing or for checking email, especially if the user is logged in as Administrator or if Internet Explorer is running in an unrestricted zone or one set lower than High. MS Outlook default restrictions might shield a user, but clicking on a URL within an email launches a browser outside of those restrictions.

Note: Known exploits have been circulating for CVE-2006-6134 (ASX).

Note that it may take several patches to update a system. Windows Media Player 6.4 is patched differently than the Media Format Runtime. It may be a challenge to assess the posture of any given system in regards to these two vulnerabilities short of utilizing the Microsoft tools.

Microsoft has released bulletin MS06-075, which addresses a local privilege escalation vulnerability affecting Windows XP SP2 and Windows Server 2003 in the client/server run-time subsystem (csrss), a required component of Windows (in other words, it is always running on all Windows machines). Note that Vista and Windows Server 2003 SP1 are claimed not to be affected at this time, as is Windows 2000 SP4.

We rate this one as important. If someone can get access to the system via other means (cracked password, etc.) this vulnerability allows that person to elevate their privileges to become administrator by running a specially crafted executable.

References: KB923694

Severity: Highly Important to Workstations, lesser for servers

This update is a cumulative update for Outlook Express versions 5.5 and 6. It addresses a remote code execution problem involving Windows Address Book (.wab) files. The vulnerability exists in a component of Outlook Express and could allow an attacker who sends a specially crafted address book file to an unpatched system to take control of that system. The vulnerability does not provide any privilege escalation capability: if the attacker successfully exploits it, he or she gains the same access rights as the logged-in user. So please remember to configure end user accounts with as few privileges as possible.

I would recommend applying this update or the registry change workaround to any client workstations as soon as possible.

This update replaces MS06-016 and MS06-043 as it is a cumulative update.

This one is "highly critical". A working exploit is already available for Metasploit.

The WMI Object Broker is a special ActiveX control which is used by Visual Studio 2005. An attacker would use a malicious web page to exploit it. You have to have Visual Studio 2005 installed in order to be vulnerable. The vulnerable file is WmiScriptUtils.dll.

As with other ActiveX features, Internet Explorer 7 mitigates this somewhat, as you have to "opt in" to individual ActiveX controls in order to use them. The restricted mode in Windows 2003 will turn off ActiveX as well, limiting exposure.

What you should do:

- On a client with Visual Studio 2005 installed: Patch now.
- On a client without Visual Studio 2005: you should not have this control.
- On a server: Check if you are using the "Enhanced Security Configuration" for MSIE. The patch is unlikely to apply.

I do recommend upgrading to Internet Explorer 7 if you are regularly using Internet Explorer.

Will drew our attention to an interesting read in Stefan Esser's blog. It's about his resignation from the PHP Security Response Team. It's interesting to note that he has both discovered and reported PHP vulnerabilities in the past.

It seems the bottom line will be that we can expect some changes in how vulnerabilities in PHP are going to be handled in the future. It might include advisories about vulnerabilities without there being patches available. It might also mean an increase in the number of reported vulnerabilities.

Anyway, it'll be worth adding his PHP security blog to your routine if you need to know about PHP vulnerabilities.

Announcements about security vulnerabilities in widely deployed open source software without a matching patch create a very dangerous situation, so we hope this doesn't escalate too far.